European Affairs

EU Negotiators Announce Privacy Safeguards in Move to Single Digital Market
By James D. Spellman, Strategic Communications LLC

To replace outmoded and varying national data protection rules that undermine the creation of a European digital single market, negotiators from the Commission, Council and Parliament unveiled a far-ranging policy to strengthen privacy safeguards that would give 500 million Europeans more control over their personal data while imposing tougher restrictions on law enforcement’s use of private data.


"These new pan-European rules are good for citizens and good for businesses," European Commissioner for Justice, Consumers, and Gender Equality Vera Jourova said. "Citizens and businesses will profit from clear rules that are fit for the digital age, that give strong protection and at the same time create opportunities and encourage innovation in a European Digital Single Market."

“We all know personal data is part of our whole lives everywhere today. Everyone will be concerned, and we had to take our time to take everyone’s interest into account,” said Jan Philipp Albrecht, Parliament’s rapporteur on the regulation.

While some hailed the reforms as revolutionary in their benefits, Silicon Valley and high-tech companies commiserated about the headaches ahead in addressing financial and logistical burdens. Digital Europe, the Brussels-based trade organization whose members include Google and Microsoft, criticized the agreement. "As the EU institutions enter the final stages of negotiations on the draft regulation, the question over whether a proper balance has been reached between supporting privacy rights and enhancing economic competitiveness still remains," the group said.[1] “The final text falls short of the original intentions for this crucial piece of legislation….[It] will undermine the ability of businesses in Europe to invest, innovate and create jobs.”

After four years of wrangling, including more than 4,000 amendments, the policy agreement ironed out by the Commission, Parliament, and the Council is contained in the “General Data Protection Regulation,” which will replace the “1995 Data Protection Directive.” This will be the biggest change in 20 years.

Founded on the principle that privacy is a human right, the new policy reflects the EU’s response to Europeans’ outrage over the 2013 Snowden revelations about U.S. government data mining and surveillance. “The digital future of Europe can only be built on trust. With solid common standards for data protection, people can be sure they are in control of their personal information. And they can enjoy all the services and opportunities of a Digital Single Market. We should not see privacy and data protection as holding back economic activities. They are, in fact, an essential competitive advantage,” said Andrus Ansip, Commission Vice President for the Digital Single Market.

The scope of the agreement expands territorial reach by applying not only to EU-based companies but also to companies located outside the EU that offer goods or services to EU residents or monitor their behavior (“European rules on European soil”). It also establishes “direct liability” for data controllers and processors; the older laws only applied to data controllers.

Specific provisions in the 200-page draft include:

     • “Right to be Forgotten”: Europeans will be able to demand that organizations holding any personal data delete all that data.

     • Notification Requirements: Companies will be required to inform customers within 72 hours if their personal information has been breached.

     • Data Portability: Requirements for organizations to provide easier, faster processes for Europeans to transfer their data from one service provider to another.

     • “One-stop-shop”: Businesses subject to the regulation “will only have to deal with one single supervisory authority,” specifically the member-state in which the company is established, according to the press release announcing the agreement, citing a €2.3 billion savings annually.

     • Heavy Fines: Companies may be fined up to 4 percent of their annual global revenue for violations of the Regulation, with the heaviest fines intended for those with repeated and egregious violations. National data-protection authorities will have the power to impose fines on companies directly, rather than having to go through courts, as is sometimes now the case.

     • Age of Consent for Children: Member-states can establish their own age of consent for children to use social media, so long as the limit is between 13 and 16 years of age.

With approval won in the EU Parliament’s Civil Liberties Committee, a vote by the entire Parliament is likely in January 2016. If passed, the 28 member states of the European Union will have two years to transpose the provisions of the GDPR into their national laws. In the meantime, companies are being advised to do a comprehensive legal and technical assessment on what personal data they are processing and how, as well as how they inform Europeans about their processing procedures.


[1] Press release, “EU Data Protection Reform: Agreement falls short of the stated aim.” December 16, 2015. http://www.digitaleurope.org/DesktopModules/Bring2mind/DMX/Download.aspx?Command=Core_Download&EntryId=1078&PortalId=0&TabId=353